Control Considerations For Auditing the OFAC Affidavit Program




Cheryl Sincock, CAMS-Audit
June 2014

Statement of Intent

OFAC generally prohibits financial institutions from processing transactions involving sanctioned countries unless exempted by a specific regulatory provision. One provision is for the processing of certain transfers to or from sanctioned countries that represent non-commercial personal remittances. The intent of this paper is to look at transactions that may be exempted from U.S. Treasury's Sanctions and the controls that a bank should establish to mitigate the risk of non-compliance with OFAC sanction regulations.

OFAC has the capability to issue general and specific licenses that allow certain banking transactions with sanctioned countries, entities and individuals to occur. A general license authorizes a particular type of transaction without the need for an application to, or further permission from, OFAC. A specific OFAC license is issued on a case-by-case basis and authorizes an individual or entity to engage in specific transactions that would otherwise be prohibited by the given sanctions programs. For example, an individual or company may place a formal request with OFAC to receive a specific license to conduct business within a sanctioned country. Depending on OFAC's interpretation of the regulations and policy, the request may be approved or denied.

Individuals planning to conduct such transactions, including the transfer of non-commercial family remittances to the United States, should always consult with OFAC. OFAC may not issue a license in all instances of non-commercial family remittance cases depending on the facts surrounding the proposed transactions. In those cases, OFAC licensing may provide requestors with verbal or written guidance noting the pertinent regulation citation permitting the transaction.

As described above, an OFAC exemption authorizes the transfer of certain non-commercial wealth to or from sanctioned countries, as long as such transfers are remitted via non-sanctioned third countries such as the UAE and Kuwait.
As a supplement to real-time screening[1] and to document such transactions, OFAC recommends that U.S. banks establish an Affidavit Program for financial transactions involving U.S. sanctioned countries such as Iran, Cuba, Syria, and Sudan. To document financial transactions involving these countries, the bank's customers may provide a signed affidavit or declaration attesting to the nature of the transactions and the origination of the funds, along with supporting documentation. OFAC has traditionally recommended such programs given the broad scope of the general licenses for non-commercial personal remittances from sanctioned countries and the inherent challenge of both identifying such transactions and documenting their compliance with OFAC's regulations.

[1] Given that most remittances are transferred directly from third countries, the given payment messages will not reference the sanctioned country and thus will not be interdicted by real-time screening systems. Therefore, affidavit programs are also generally used to establish enhanced control frameworks to proactively identify payments that may involve sanctioned countries as a supplement to routine payment screening.

This paper will advocate best practices for evaluating your bank's Affidavit Program and developing an independent audit program to assess the effectiveness of the Affidavit Program. This scope will focus on U.S. banks.

Background

The effort against both the increasing threat of terrorism and the development and proliferation of weapons of mass destruction has consistently involved the implementation and imposition of economic sanctions by the United Nations Security Council, the United States Government, and European Union Commission against offending nations.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has responsibility for administering and enforcing U.S. economic and trade sanctions. Overall, the sanctions cover: (1) certain foreign countries, their governments and, in certain circumstances, their nationals; (2) individuals and entities, worldwide, engaged in criminal activities including the proliferation of weapons of mass destruction, terrorism, drug trafficking and transnational organized crime.

OFAC has issued regulations to prohibit the supply of financial, material or other support to individuals, organizations and regimes engaged in activities that may harm the United States, its citizens, or its allies. OFAC's regulatory goals are effected by prohibiting U.S. persons[2] from engaging in financial transactions or having other dealings with sanctioned entities. The OFAC regulations require that accounts and other property in which a sanctioned country, entity or individual has an interest must be either blocked (i.e., frozen) or rejected (i.e., returned), unless exempted by a specific regulatory provision (i.e., a license).

[2] The term U.S. person is generally defined to include: (1) U.S. citizens and permanent resident aliens, wherever located; (2) U.S. companies and financial institutions, including their foreign branches; and (3) individuals physically.

Comprehensive Sanctions Programs[3]

Comprehensive economic and trade sanctions are in place against: Iran, Cuba, Syria, and Sudan.[4]

- 31 CFR 560.550 for the Iran authorization
- 31 CFR 515.570 for the Cuba authorization
- 31 CFR 542.512 for the Syria authorization
- 31 CFR 538.528 for the Sudan authorization

See broad overview of authorizations in Appendix A.

Penalties for Violations[5]

Substantial civil and criminal penalties may be imposed against U.S. persons, including U.S. banks and financial institutions and their employees, for violations of the OFAC regulations. For example, willful or knowing violations of certain OFAC regulations by individuals may result in criminal fines up to $1,000,000 per violation and/or imprisonment. In addition, civil fines of up to $250,000 or twice the amount of the prohibited transaction, per incident, may be imposed against both individuals and companies.[6]

[3] For complete list of Comprehensive Sanctions go to: U.S. Department of Treasury. Resource Center. Financial Sanctions Programs. (5/24/14) http://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx
[4] U.S. Department of Treasury 2013 OFAC Financial Symposium, Washington D.C., March 19, 2013, pages 119-120.
[5] An Affidavit Program is a supplemental control to the bank's OFAC Compliance Program. The major enforcement actions that have occurred were not in regards to remittances, but rather, systematic stripping of wire information.

In the News

The Economist - June 14, 2014 - Big banks are cutting off customers and retreating from Markets for fear of offending regulators.

Financial Institutions are culling banking relationships and retreating wholesale from markets, countries and lines of business that might attract the ire of regulators or prosecutors. So widespread is the practice that there is now an accepted term for it: derisking. It is fraying the network of relationships that tie the global financial system together, driving up the costs of finance for poor countries and people. The spark that ignited this bonfire of banking relationships was a series of prosecutions of big international banks in America for lapses in their controls relating to money-laundering, sanctions and the financing of terrorism. These included a $1.9 billion fine paid by HSBC and substantial fines meted out to Standard Chartered, ING and Barclays. BNP Paribas, France's biggest bank, is said to face a fine of as much as $10 billion related to breaches of American sanctions against Cuba, Iran and Sudan.

The Use of Exchange Houses and Trading Companies to Evade U.S. Economic Sanctions

Washington - The U.S. Treasury Department warned financial institutions to be on the lookout for money transfers sent by foreign exchange houses and trading companies that are actually an attempt to mask transactions on behalf of sanctioned Iranian entities. OFAC Advisory - January 10, 2013.[7]

The Use of Exchange Houses and Trading Companies to evade sanctions against Iran[8]

[6] 31 CFR Part 501, Economic Sanctions Enforcement Guidelines.
[7] U.S. Department of Treasury. OFAC Advisory - January 10, 2013. The Use of Exchange Houses and Trading Companies to evade sanctions against Iran. http://www.treasury.gov/resource-center/sanctions/ofac-enforcement/pages/20130110.aspx
[8] Third-country exchange houses are financial institutions licensed to deal in foreign exchange and transmit funds on behalf of individuals and companies. Trading companies are entities that are not licensed to transmit funds, but in practice operate as exchange houses and rely upon their bank accounts to transmit funds on behalf of third parties.

The OFAC advisory identifies the Iranian evasion techniques used not only to circumvent but also to adapt to the existing economic sanctions through the use of third-country exchange houses and trading companies to access the U.S. financial system. OFAC identified practices used by third-country exchange houses and trading companies to circumvent international and U.S. sanctions against Iran; in particular:

- Omitting references to Iranian addresses;
- Omitting the names of Iranian persons or entities in the originator or beneficiary fields; and
- Transmitting funds from an exchange house or trading company located in a third country to or through the U.S. on behalf of an individual or company located in Iran or on behalf of a U.S. designated person without referencing the involvement of Iran or the designated persons.

U.S. financial institutions can mitigate the risk of processing such transactions by identifying a list of Exchange Houses and Trading Companies that are believed to be intermediaries for the transfer of funds to the United States from a country that is the subject of U.S. sanctions administered by OFAC. Monitoring and due diligence should be performed on transactions from the Exchange Houses and Trading Companies to identify transactions that are similar to the practices above. Banks should also conduct account or transaction reviews of third-country companies with a history of violating or attempting to violate sanctions against Iran, OFAC said.

An Affidavit Program is designed to be used for transactions that are permitted by the sanction requirements in compliance with OFAC regulations. Customers must provide full transaction details and documentation to support the origination of the funds. Although affidavits may be obtained for various sanction programs, currently a majority of affidavits are processed for transfers of personal family wealth from Iran to the U.S.
Essentially, customers have assets in Iran in the form of real estate (land or personal residences), checking and savings accounts, or they have an inheritance from a deceased family member. To move the funds into the United States, they must first move the money into a non-Iranian bank that is located in a country that is not subject to OFAC's sanctions. They then have the funds wired to a U.S. bank for deposit to a bank account. When this occurs, the incoming funds may trigger a monitoring alert in your funds transfer unit or your bank's transaction screening application. If the customer has not pre-notified the bank of the transaction, the bank may immediately advise that the customer's funds transfer be rejected if interdicted in real-time, recommend account closure, and/or recommend termination of the client relationship. Furthermore, the presence of an affidavit does not exempt the client and/or their transactions from SAR filing or other relevant risk mitigation efforts that the bank's BSA program may apply to the customer based on the transactional activities.

Case Study for Establishment of Affidavit Program

One U.S. bank had a small number of Iranian American clients who notified the bank they expected to receive the transfer of personal funds as cash gifts or as inheritances from Iran to the U.S. In accordance with 31 C.F.R. 560.516(a)(2), non-commercial personal remittances from Iran to the United States are authorized to be processed by a U.S. depository institution so long as the funds are transferred from a third country foreign financial institution and the transfer is not related to any type of family-owned business. This rule is commonly referred to as a general license, which means it is an open authorization that OFAC has provided and does not require any specific application and approval in order to be utilized. However, the bank should request guidance from OFAC to ensure that the general license applies to the client's specific facts. For example, inheriting real estate in Iran does not always mean that a U.S. person can sell the property without an OFAC specific license just because it was an inheritance and personal in nature.

As recommended by OFAC, this bank established an Affidavit Program that was designed to proactively identify, document, and monitor potential transactions involving sanctioned countries. The intent of the Affidavit Program is to obtain a signed affidavit from the customer attesting that the transaction originating from an OFAC comprehensively sanctioned country is permitted, and that the transaction is being processed in full compliance with OFAC sanction regulations. The OFAC Affidavit Program adds an extra level of OFAC risk mitigation to the bank's OFAC compliance program. The bank enhanced its OFAC Compliance Program to establish the parameters that the Affidavit Program would operate within.
The bank's Affidavit Program established procedures for obtaining customers' signed affidavits, provided controls for monitoring permitted transactions, and promoted transparency by identifying the origin of the funds and the originating country. Comprehensive sanctions prohibit most financial services. For comprehensive sanctions, the bank must review and decision every transaction. For other OFAC sanctions that are list based, the bank is only required to verify that a customer's name does not appear on OFAC's SDN List.

Having a written Affidavit Program that is risk based, effectively implemented, and monitored can protect your financial institution, provide greater transparency around the transactions, and help ensure compliance with OFAC sanctions regulations. The alternative is to reject banking services to customers based on their country of origin.

Auditing your Bank's Affidavit Program

One of the challenges in assessing the effectiveness of your bank's Affidavit Program is a lack of regulatory guidance. What are the risks facing the bank in managing an Affidavit Program? What key controls should be in place surrounding the program? This begins with the bank's risk assessment.[9]

[9] Federal Financial Institutions Examination Council (FFIEC). FFIEC BSA/AML Examination Manual 2010. Note: For purposes of this paper the development of OFAC Affidavit Programs Compliance Program was based on guidance provided by the FFIEC BSA/AML Examination Manual for BSA/AML Compliance Programs. http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm

Risk Assessment

Overview: Assessing the risk is one of the most important steps in creating a strong BSA/AML and OFAC/OFAC Affidavit Program compliance program. A robust risk assessment is the starting point for a bank to identify and assess the risk within its customers, products and services, and geographies. A well designed risk assessment defines risk and the areas of risk that require mitigation. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Understanding the risk profile enables management to establish applicable risk-based policies, procedures, systems and controls. Components of the risk assessment enable the bank to monitor the level and direction of risk.

Your bank may have a BSA/AML Risk Assessment that includes an assessment of your OFAC and Affidavit Program. It is acceptable for the OFAC risk assessment to be incorporated into the BSA/AML Risk Assessment; however, it is best practice for a large bank to create a stand-alone OFAC Risk Assessment. The same risk management principles that the bank uses for the BSA/AML Risk Assessment should be applied to assessing and managing OFAC risk and the Affidavit Program risk. The risk assessment assists management in appraising that the inherent risk is in line with the internal controls and does not leave any residual risk out of line with the BSA/AML/OFAC Risk Appetite.

Audit Objective: Ensure there is a comprehensive risk assessment with a sufficient level of detail related to the Affidavit Program to fully identify, document and assess the risks associated with transactions to or originating from high-risk jurisdictions. The risk assessment should demonstrate management's understanding of the risk incurred, and the mitigating factors and controls in place.

Risk Appetite

Overview: Organizations encounter risk every day as they pursue their objectives.
In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives? Added to this, regulators and other oversight bodies are calling for better descriptions of organizations' risk management processes, including oversight by the board.

COSO's Enterprise Risk Management Integrated Framework[10] defines risk appetite as follows: The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. Risk appetite guides resource allocation. Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.

As the bank decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. What is the bank's risk appetite for processing transactions under the Affidavit Program? The BSA/AML/OFAC risk appetite should coincide with other aspects of the overall bank risk appetite.

Audit Objective: Ensure that management has considered the Bank's BSA/AML/OFAC Risk Appetite as it relates to the OFAC Affidavit Program. The risk appetite should provide management with an understanding of activities it is willing to engage in. This also includes decisions in setting documentation standards for customers transferring funds into the bank that originate from OFAC sanctioned countries.

Internal Controls

Overview: The FFIEC BSA/AML Manual defines internal controls as the bank's policies, procedures, and processes designed to limit and control risk and to achieve compliance with the BSA. The level of sophistication of the internal controls should be commensurate with the size, structure, risks, and complexity of the bank. The same principles should be applied to the internal controls over the OFAC Affidavit Program. The bank must implement a written OFAC Program that includes policy, procedures, screening systems, and internal controls to comply with the OFAC regulations.
Internal controls also address a broad range of recordkeeping, monitoring, and reporting processes. Regulators' expectations have increased for management to ensure policies and procedures address key risks. Detailed procedures should establish and execute policy parameters under which the OFAC Affidavit Program will run. Key controls in an Affidavit Program include:

1.) Multiple screening criteria to identify potential payments of concern in either real-time or post-transaction. By doing so, the bank is ensuring that it is maximizing the transactions it is monitoring and thus vetting for compliance with OFAC's regulations;

2.) Collecting sufficient supporting documentation to demonstrate the specific origin of the funds and to further support that the given transaction meets the criteria of OFAC's authorization. Minimum due diligence and documentation requirements should be defined by policy and procedures to support the source of funds originating from the sanctioned country and ensure potentially suspicious activity is identified and reported. Officially translated documentation should be obtained for non-English supporting documentation.

[10] Understanding and Communicating Risk Appetite. Research Commissioned by COSO, Committee of Sponsoring Organizations of the Treadway Commission. August 2012. http://www.coso.org/documents/erm-understanding%20%20communicating%20risk%20appetite-web_final_r9.pdf

Audit Objective: Assess the adequacy of the system of internal controls to manage risks associated with the processing of transactions with an OFAC sanctioned jurisdiction. Determine whether the OFAC Affidavit Program includes policies, procedures, and processes that are commensurate with the level of risks with customers, services and products, and geographic locations. Additionally, consider whether procedures and processes address the following:

- Level of approval requirements for approving or rejecting a transaction.
- Process for referring unusual or suspicious transactions for investigation and SAR filing.
- Documentation requirements to support the origin of the funds and the originating country.
- Recordkeeping requirements.

Monitoring

Overview: Monitoring processes include automated system monitoring and manual monitoring. Monitoring processes may include any of the following:

- Monitoring to identify wires processed through Exchange Houses and Trading Houses believed to be intermediaries for the transfer of funds to the United States from a country that is the subject of U.S. sanctions administered by OFAC.
- Monitoring of new accounts to identify owners who declare citizenship from OFAC sanctioned countries. Customers may use a passport issued by a sanctioned country as proof of identity or list an address located in a sanctioned country for international wire activity that may constitute a remittance to/from a sanctioned country. Educational OFAC-related information can be provided to educate customers regarding the relevant OFAC sanction programs and explain the bank's obligations under a particular sanctions program.
- Periodic monitoring of customers with known ties to OFAC sanctioned countries to determine whether the account owners still reside in the U.S. or whether they have returned and permanently reside in the OFAC sanctioned country.

Automated transaction monitoring solutions help the bank to monitor customers' transactions in a quick and efficient manner. Automated transaction monitoring can identify funds transfers from high risk jurisdictions and trading houses. When reviewing the alerts generated from automated transaction monitoring, the employee should identify transactions in which the funds may have originated from a sanctioned country. Investigation of the activity may include contact with the customer to inquire about the origination and source of the funds. The customer may provide the bank with documentation to support that the transaction was permitted in accordance with an OFAC general license. An affidavit may be signed by the customer at that time attesting that the transaction was a non-commercial personal remittance.

The bank should investigate and periodically monitor the customer for unusual activity from both a BSA/AML and an OFAC compliance perspective. A SAR filing is required when suspicious activity is identified. Enhanced monitoring may be performed once a client submits an affidavit to ensure that the transactions noted in the affidavit are commensurate with the client's expected transaction activity. Monitoring and due diligence can include the research of facts surrounding the affidavit associated with the client and the client's overall transaction activity, and can include an overall evaluation of the client as gathered from internal and external sources. A review may be expanded to include all joint account owners to the signer of the affidavit, as well as their associated parties, to determine whether or not incoming wires or cash deposits (if relevant) have occurred through related party accounts.

Audit Objective: Assess the bank's monitoring processes and controls to evaluate whether they are risk based and appropriate based on the OFAC/OFAC Affidavit Program risk assessment and the policy and procedures.
Review a sample of customers and transactions processed under the Affidavit Program to evaluate the adequacy of the bank's compliance with OFAC sanctions requirements and to determine the effectiveness of the Affidavit Program policies, procedures and processes. Ensure the transactions meet the requirements for supporting documentation, recordkeeping, and escalation for reporting of suspicious activity.

Interdiction Software

Overview: Banks are continually updating interdiction software to assist in the identification and rejection of transactions within their institutions. Given the relatively low cost of interdiction software and the high cost of violating OFAC regulations, maintaining current, relevant software is a necessary investment for banks. The following are examples that may be used by your bank for monitoring your Affidavit Program:

Exchange Houses and Trading Companies Rejection List. Many U.S. banks use interdiction software to monitor wire transactions against an Exchange Houses and Trading Companies Rejection List. The interdiction software will cause funds transfers processed by the Exchange Houses and Trading Companies to be rejected. Bank personnel should review the wire to determine whether the funds originated from a sanctioned country and block or reject any wire with apparent commercial use or an unclear source of funds. Furthermore, any wires involving funds originating from a sanctions jurisdiction that have not been pre-screened and are without the customer's affidavit and supporting documentation should be rejected. If the bank had processed the wire without additional information, the bank could be subject to violation of OFAC's regulations.

IP Addresses to Block Online Access. Regulators worldwide are increasingly focused on the online activities of sanctioned entities. Governments have focused on curtailing access points to traditional financial networks, including bank accounts and payments made between financial institutions. As an additional layer of security, many banks block access from a sanctioned country based on IP address to prevent access to the bank's electronic banking products and services. [11] Given the blocking of the access, customers will not be able to access their accounts via the web or use their debit and credit cards while in the sanctioned country.

[11] Veri-site - Sanctioned Entities Online. Out of Country IP addresses (6/7/14) http://www.veri-site.com/regulations-guidelines-sanctioned.html

Audit Objective:

Ensure that the automated interdiction software used by the bank incorporates the most recent version of the OFAC list and that updates to the OFAC list are incorporated into the automated interdiction software within a time frame approved by your bank's OFAC policy.

Review the process and analysis to maintain the Exchange Houses and Trading Companies Rejection List and trace changes to the list to the automated system for accuracy and completeness.

Review a sample of wire transactions subject to the Exchange Houses and Trading Companies Rejection List to assess the decision and approval process to reject or allow the wire to be processed.

Assess the reasonableness of the software program to block access to those parties operating with IP addresses linked with sanctioned countries.

Employee Training

Overview: Training is a core requirement and key pillar of a satisfactory BSA/AML/OFAC program. Suitable training must be provided for all appropriate personnel. Training should include an appropriate overview of the OFAC and the U.S. Sanctions regulatory requirements, as well as the bank's internal policies, procedures, and processes. Employees should have sufficient knowledge of the bank's Affidavit Program to understand what it is intended to accomplish.

Training should be tailored to be more job specific for employees working in areas with greater responsibilities for compliance with the OFAC and the bank's Affidavit Program. For example, customer-facing employees need to know whom to contact when customers inquire about the OFAC sanction programs or have questions about transactions that they may be expecting to conduct with a sanctioned country.

Training should be ongoing and incorporate current developments and changes to the OFAC and U.S. sanctions. Employees should be familiar with the relevant prohibitions and understand the impact that violations of OFAC and U.S. sanction requirements can have on the bank and individuals. Changes to internal policies, procedures, processes, and monitoring requirements should also be covered during training.

The bank should document its training programs. Training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank and be available for review by internal auditors and regulators.

Audit Objective:

Ensure all appropriate employees receive initial and ongoing training on all aspects of OFAC and the Affidavit Program. Training should be comprehensive and tailored to the business unit's particular compliance risks and the employee's responsibilities. Ensure documentation of attendance records and training materials is maintained.

Ready to test your AML IQ? [12] Check your answer on last page

Independent Audit

The International Standards for Professional Practice of Internal Auditing (Standards) [13] published by the Institute of Internal Auditors address the independence and objectivity of audit as follows:

1100 Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

[12] AML Quizzes. ACAMS moneylaundering.com/resources (6/7/14) http://www.moneylaundering.com/quizzes/pages/amlquizzes.aspx
[13] The International Standards for Professional Practice of Internal Auditing (Standards). Published by the Institute of Internal Auditors. Revised Standards, Effective January 1, 2013. https://na.theiia.org/standards-guidance/public%20documents/ippf%202013%20english.pdf

Audit staff should have a good understanding of the BSA/AML and OFAC regulations as well as sufficient subject matter expertise and training in the bank's OFAC and OFAC Affidavit Programs Compliance Program, including policy and procedures, internal controls, and the applicable systems. The Audit team should have the authority to escalate issues and challenge management.

Work papers prepared by auditors must be well documented and support the scope, results and conclusions of the audit. Issues should distinguish between violations, bank policy exceptions, and general recommendations. The Audit Report should be clear and concise and articulate the issues and risks to the bank.

Conclusion

Since 2010, there has been an increase in the number of enforcement actions where major international financial institutions have agreed to forfeit billions of dollars to the U.S. Government in connection with apparent violations of U.S. Sanctions programs. Critics, however, question whether fines are enough to deter this behavior. In response, big banks are rejecting banking relationships and exiting good customers in an effort to de-risk the bank's overall risk profile.

U.S. Sanctions are directed towards certain foreign countries, their governments, and in certain circumstances, individuals and organizations. OFAC provides some specific regulatory provisions for exemptions from the sanctions to allow certain banking transactions to occur. Banks have an obligation to assist our customers with processing transactions that are exempt from the U.S. Sanctions. Establishing an Affidavit Program that is risk based, effectively implemented, and monitored can protect your financial institution, provide greater transparency around the transactions, and help ensure compliance with OFAC sanctions regulations. A win-win for both the bank and the bank's customers.

Consider the controls and the best practices for auditing the Affidavit Program described in this paper to develop an independent audit program that is commensurate with your bank's risk profile. The audit program should assess the adequacy of the OFAC and OFAC Affidavit Programs Compliance Program, including policy and procedures, internal controls, training, and independent audit. A well-designed audit program executed by qualified audit staff with a good understanding of the regulations is essential in evaluating the effectiveness of the bank's Affidavit Program.

Exhibit A

OFAC administers a number of different sanctions programs. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.

Disclaimer: The following references provide general information and should not be used or taken as legal advice. These are not intended to be a complete summation of U.S. sanction regulations and should not be relied on as current or complete. For additional information about these and other sanctions please visit:

31 CFR 560.550 for the Iran authorization

Certain noncommercial, personal remittances to or from Iran authorized.

(a) In cases in which the transfer involves a noncommercial, personal remittance, the transfer of funds to or from Iran or for or on behalf of an individual ordinarily resident in Iran, other than an individual whose property and interests in property are blocked pursuant to 560.211, is authorized, provided that the transfer is processed by a United States depository institution or a United States registered broker or dealer in securities and not by any other U.S. person; does not involve debiting or crediting an Iranian account; and is not by, to, or through the Government of Iran, as described in 560.304.

(b) Noncommercial, personal remittances do not include charitable donations to or for the benefit of an entity or funds transfers for use in supporting or operating a business, including a family-owned enterprise.

(c) The transferring institutions identified in paragraph (a) of this section may rely on the originator of a funds transfer with regard to compliance with paragraph (a) of this section, provided that the transferring institution does not know or have reason to know that the funds transfer is not in compliance with paragraph (a) of this section.

31 CFR 515.570 for the Cuba authorization.

VI. SENDING OR CARRYING MONEY TO CUBA: REMITTANCES

Certain remittances to Cuban nationals are authorized pursuant to 515.570 of the Regulations.

(a) Family remittances: Individual persons subject to U.S. jurisdiction who are 18 years of age or older are authorized to send remittances to a close relative who is a Cuban national, whether in Cuba or in a third country. Please see 515.339 of the Regulations for the definition of close relative. No family remittances may be sent to a prohibited official of the Government of Cuba or a prohibited member of the Cuban Communist Party as defined in 515.337 and 515.338, respectively. There is no limit on the amount of family remittances or the frequency with which they may be sent. Please see 15.570(a).

(b) Periodic $500 remittances: Persons subject to U.S. jurisdiction are authorized to make periodic remittances of up to $500 to any Cuban nationals, including, but not limited to, remittances to support the development of private businesses. A remitter's total remittances to any one Cuban national may not exceed $500 in any consecutive three-month period, and the remitter, if an individual, must be 18 years of age or older. No periodic $500 remittances may be sent to a prohibited official of the government of Cuba or a prohibited member of the Cuban Communist Party. Please see 515.570(b) of the Regulations.

(c) Remittances to religious organizations in Cuba: Persons subject to U.S. jurisdiction are authorized to make unlimited remittances to religious organizations in Cuba in support of religious activities. The remitter, if an individual, must be 18 years of age or older. Please see 570(c) of the Regulations.

(d) Remittances to students in Cuba pursuant to an educational license: Persons subject to U.S. jurisdiction who are 18 years of age or older are authorized to make remittances to close relatives who are students engaging in authorized educational travel in Cuba. The remittances must be for the purpose of funding transactions authorized by the license under which a student is traveling. Please see 515.570(d) of the Regulations and 515.339 for the definition of close relative.

(e) Emigration-related remittances: Persons subject to U.S. jurisdiction are authorized to send two separate one-time remittances per Cuban national payee to enable the payee to emigrate from Cuba to the United States. One remittance of no more than $1,000 per payee, for the purpose of covering the payee's preliminary emigration expenses, may be sent before the payee has received a valid visa from the Department of State or other approved U.S. immigration documents. Up to an additional $1,000 per payee, for the purpose of enabling the payee to emigrate from Cuba to the United States, may be sent after the Cuban national has received a visa or other approved U.S. immigration documents. At the time such a remittance is sent, the remitter must be able to provide the visa recipient's full name, date of birth, visa number, and visa date of issuance. Please see 515.570(e) of the Regulations.

31 CFR 542.512 for the Syria authorization

Certain types of activities and transactions which would otherwise be prohibited with respect to Syria have been authorized by general licenses, subject to certain conditions and limitations. Those licensed activities and transactions include:

o The exportation and reexportation of items to Syria from the United States or by U.S. persons to any person, including the Government of Syria, whose property or interests in property are blocked, provided that the Department of Commerce has licensed or otherwise authorized the export of those items;
o Noncommercial, personal remittances to or from Syria or on behalf of individuals ordinarily resident in Syria, as long as the transfer is not by, to, or through the Government of Syria or any other person whose property and interests in property are blocked;
o Transactions related to U.S. persons residing in Syria;
o The export and reexport of services in support of humanitarian and other not-for-profit activities in Syria by U.S. and third-country non-governmental organizations; and
o Certain transactions related to intellectual property protection.

Please see 31 C.F.R. 542 subpart E and visit for additional information about these and other general licenses.

31 CFR 538.528 for Sudanese Sanctions Regulations

Regulated U.S. depository institutions, broker-dealers and money service businesses (MSBs) are authorized to send and receive personal remittances to and from Sudan, provided that such transfers are not processed through a bank owned or controlled by the Government of Sudan. U.S. depository institutions and broker-dealers are authorized to operate accounts for individuals normally resident in Sudan, provided that all transactions through the account are personal in nature and are not related to commercial activity in Sudan.

ACAMS AML Quiz [14]

Test Your AML IQ from page 12 [15]

[14] AML Quizzes. ACAMS moneylaundering.com/resources (6/7/14) http://www.moneylaundering.com/quizzes/pages/amlquizzes.aspx
[15] U.S. Department of Treasury. Resource Center, OFAC Frequently Asked Questions http://www.treasury.gov/resource-center/faqs/sanctions/pages/answer.aspx#118